Slide 1

Staying in control on AWS

Marek Kuczynski, Senior Solutions Architect - startups, Amazon Web Services
Amsterdam Secure Software Development Meetup, 28 August 2019

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Slide 2

In this session…
• A very brief introduction to AWS
• Securing your virtual machines and networks
• CI/CD, infrastructure as code and best practices
• Serverless computing

Slide 3

About Marek

Right now – building things
• Senior Solutions Architect at AWS – startups
• One of the serverless experts for the Benelux area

Before – breaking things
• Vulnerability analyst and penetration tester at Shell
• Threat intelligence analyst at Shell
• Penetration tester and code auditor at KPMG

@marekq

Slide 4

How I got interested in AWS
https://aws.amazon.com/solutions/case-studies/royal-dutch-shell/


Slide 6

AWS was built to support virtually every workload
• Industry leading security and governance
• Elasticity and agility, pay as you go model
• Open and flexible platform
• Global footprint of 22 regions and over 180 POPs (points of presence)
• Broadest and deepest choice of more than 165 services

Slide 7

Customer obsessed: 90% of the roadmap originates with customer requests

“Performance, reliability, and responsiveness are fundamental to our customer experience, and T3 instances help us to deliver on that customer promise while also controlling our costs.” —Heroku

Slide 8

At AWS, cloud security is job zero.
All AWS customers benefit from a data center and network architecture built to satisfy the requirements of the most security-sensitive organizations.

Slide 9

Gain access to a world-class security team
Where would some of the world’s top security people like to work? At scale, on huge challenges with huge rewards.
So AWS has world-class security and compliance teams watching your back!
Every customer benefits from the tough scrutiny of other AWS customers.

Slide 10

Shared Responsibility Model

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

Slide 11

Defense in depth

Physical
• AWS Compliance Program
• Third Party Attestations

Network
• Security Groups
• VPC Configuration
• Web App Firewalls
• Bastion Hosts
• Encryption In-Transit

System Security
• Hardened AMIs
• OS and App Patch Mgmt.
• IAM Roles for EC2
• IAM Credentials

Data Security
• Logical Access Controls
• User Authentication
• Encryption At-Rest

Slide 12

Choices for Compute
• Amazon EC2: virtual server instances in the cloud
• Amazon ECS, EKS, and Fargate: container management services for running Docker on a managed cluster of EC2
• AWS Lambda: serverless compute for stateless code execution in response to triggers

Slide 13

AWS Identity and Access Management

Slide 14

AAA with AWS
• Authenticate: IAM username/password, access key (+ MFA), federation
• Authorize: IAM policies
• Audit: CloudTrail

Slide 15

AWS Identity: Authentication
Authentication: how do we know you are who you say you are?

AWS Management Console: login with username/password, with optional MFA (recommended)
API access: access key ID + secret access key, with optional MFA
  Access key ID, e.g. AKIAIOSFODNN7EXAMPLE
  Secret access key, e.g. UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

For time-limited API access: call the AWS Security Token Service (STS) to get a temporary access key + secret key + session token
For time-limited Console access: a signed URL can provide temporary access to the Console

Slide 16

AWS IAM Hierarchy of Privileges

AWS Account Owner (Root): unrestricted access to all enabled services and resources.
  Action: *
  Effect: Allow
  Resource: * (implicit)

AWS IAM User: access restricted by group and user policies.
  Action: ['s3:*', 'sts:Get*']
  Effect: Allow
  Resource: *

Temporary Security Credentials: access restricted by the generating identity and further by the policies used to generate the token.
  Action: ['s3:Get*']
  Effect: Allow
  Resource: 'arn:aws:s3:::mybucket/*'

Enforce the principle of least privilege with Identity and Access Management (IAM) users, groups, policies and temporary credentials.

Slide 17

AWS CloudTrail
Web service that records AWS API calls for your account and delivers logs.

Who?    When?    What?                       Where to?   Where from?
Bill    3:27pm   Launch Instance             us-west-2   72.21.198.64
Alice   8:19am   Added Bob to admin group    us-east-1   54.16.113.91
Steve   2:22pm   Deleted DynamoDB table      eu-west-1   205.251.233.176
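The table above is the raw material of detection. As an added example (not code from the deck), here is a small detection pass over CloudTrail records that flags the two interesting rows (Alice adding Bob to an admin group, Steve deleting a table) and ignores Bill's launch, plus two cases the slide does not show but every account should alert on: a console login without MFA and someone switching CloudTrail off. The five records are constructed for the example in CloudTrail's real field layout, and the event-name lists are a starter set, not an exhaustive one.

```python
# Added example (not from the slides): rule-based triage of CloudTrail records.
import json

# Constructed records mirroring the slide's table, plus two extra cases.
SAMPLE_EVENTS = [
    {"eventTime": "2019-08-28T15:27:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "72.21.198.64",
     "userIdentity": {"type": "IAMUser", "userName": "Bill"},
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventTime": "2019-08-28T08:19:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "54.16.113.91",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"},
     "requestParameters": {"groupName": "admin", "userName": "Bob"}},
    {"eventTime": "2019-08-28T14:22:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "awsRegion": "eu-west-1",
     "sourceIPAddress": "205.251.233.176",
     "userIdentity": {"type": "IAMUser", "userName": "Steve"},
     "requestParameters": {"tableName": "orders"}},
    {"eventTime": "2019-08-28T16:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Carol"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-08-28T16:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "Carol"},
     "requestParameters": {"name": "org-trail"}},
]

# Calls that change who can do what, remove the audit trail, or destroy data.
PRIVILEGE_CHANGES = {"AddUserToGroup", "AttachUserPolicy", "AttachGroupPolicy",
                     "AttachRolePolicy", "PutUserPolicy", "CreateAccessKey",
                     "UpdateAssumeRolePolicy"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DESTRUCTIVE = {"DeleteTable", "DeleteBucket", "TerminateInstances", "DeleteDBInstance"}


def classify(event: dict):
    """Return (severity, reason) if the event deserves an alert, else None."""
    name = event.get("eventName", "")
    who = event.get("userIdentity") or {}
    if who.get("type") == "Root":
        return ("high", "root account used")
    if name in TRAIL_TAMPERING:
        return ("high", f"CloudTrail tampering: {name}")
    if name in PRIVILEGE_CHANGES:
        params = event.get("requestParameters") or {}
        target = params.get("groupName") or params.get("policyArn") or params.get("userName", "")
        severity = "high" if "admin" in str(target).lower() else "medium"
        return (severity, f"privilege change: {name} -> {target}")
    if name in DESTRUCTIVE:
        return ("medium", f"destructive call: {name}")
    if name == "ConsoleLogin" and (event.get("additionalEventData") or {}).get("MFAUsed") == "No":
        return ("medium", "console login without MFA")
    return None


def scan(events):
    """Reduce raw records to the slide's columns plus severity and reason."""
    alerts = []
    for e in events:
        hit = classify(e)
        if hit:
            alerts.append({"severity": hit[0], "reason": hit[1],
                           "who": (e.get("userIdentity") or {}).get("userName", "?"),
                           "when": e.get("eventTime"), "what": e.get("eventName"),
                           "region": e.get("awsRegion"), "from": e.get("sourceIPAddress")})
    return alerts


def scan_file(path):
    """Scan one log file as CloudTrail delivers it to S3: a JSON object
    whose 'Records' key holds the list of events."""
    with open(path) as fh:
        return scan(json.load(fh)["Records"])


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['who']} {a['when']} {a['what']} "
              f"{a['region']} {a['from']}: {a['reason']}")
```

In production the same `classify` function sits behind a CloudWatch Events / EventBridge rule or reads the gzipped files a trail delivers to S3; the point of keeping it a pure function is that the rules can be unit-tested against recorded events.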

Slide 18

Querying IAM services

How many IAM users are in our account?
$ aws iam list-users

Who has access to our infrastructure with(out) MFA?
$ aws iam list-mfa-devices --user-name <user>
(list-mfa-devices answers for one user at a time, or for the caller when --user-name is omitted; for the whole account, generate the credential report, which has an mfa_active column per user: aws iam generate-credential-report, then aws iam get-credential-report)

Remove API access for a user immediately:
$ aws iam delete-access-key --user-name <user> --access-key-id <key-id>
(deletion is final; aws iam update-access-key --status Inactive blocks the key just as quickly and can be reversed if it turns out something legitimate depended on it)
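The account-wide answer to "who has access without MFA?" comes from the IAM credential report rather than from the per-user commands above. As an added example (not from the deck), this script reads the report's CSV and lists console users without MFA, access keys older than 90 days and keys that are unused or never used, i.e. the keys that should be deactivated or deleted. The CSV is constructed for the example in the report's real column layout; the decoding helper assumes the JSON shape that `aws iam get-credential-report` prints (base64 in the Content field). The thresholds are assumptions to adjust to your policy.

```python
# Added example (not from the slides): auditing the IAM credential report.
import base64
import csv
import datetime
import io
import json

# Constructed report; the header row is the real credential-report layout.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2017-01-10T09:00:00+00:00,not_supported,2019-08-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-03-02T12:00:00+00:00,true,2019-08-27T08:19:00+00:00,2019-06-01T12:00:00+00:00,2019-08-30T12:00:00+00:00,true,true,2019-07-15T00:00:00+00:00,2019-08-27T08:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-05-20T12:00:00+00:00,true,2019-08-20T14:00:00+00:00,2018-05-20T12:00:00+00:00,N/A,false,true,2018-05-20T12:00:00+00:00,2019-02-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2019-01-05T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2019-01-05T12:00:00+00:00,N/A,N/A,N/A,true,2019-08-01T12:00:00+00:00,2019-08-28T06:00:00+00:00,eu-west-1,codedeploy,false,N/A,false,N/A
"""

# Fixed "now" so the example is reproducible (the report's generation time).
NOW = datetime.datetime(2019, 8, 28, 12, 0, tzinfo=datetime.timezone.utc)


def decode_cli_report(cli_json: str) -> str:
    """Turn the JSON printed by `aws iam get-credential-report` into CSV text."""
    return base64.b64decode(json.loads(cli_json)["Content"]).decode("utf-8")


def _age_days(stamp: str, now=NOW):
    """Days since an ISO timestamp; None for the report's N/A-style values."""
    if stamp in ("N/A", "no_information", "not_supported", ""):
        return None
    return (now - datetime.datetime.fromisoformat(stamp)).days


def audit(report_csv: str, now=NOW, max_key_age=90, max_idle=90):
    """Return (user, finding) pairs: MFA gaps and stale or unused access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console password without a second factor: the "with(out) MFA" question.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age:
                findings.append((user, f"access key {n} is {age} days old; rotate"))
            idle = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if idle is None:
                findings.append((user, f"access key {n} never used; deactivate"))
            elif idle > max_idle:
                findings.append((user, f"access key {n} unused for {idle} days; deactivate"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Each finding maps to one of the commands on the slide: the MFA gap is fixed with a virtual MFA device, and a stale or unused key is first set Inactive with `aws iam update-access-key` and deleted with `aws iam delete-access-key` once nothing breaks.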

Slide 19

Using the SDK to retrieve data
You can programmatically read the details of your AWS accounts and infrastructure, for example:
https://github.com/marekq/list-ec2

Slide 20

Building your first, secure application

Slide 21

Virtual machines – EC2 instances
(diagram)
• AMI: virtual machine configuration
• Instance: running or stopped VM, placed in a VPC inside an Availability Zone (AZ)
• EBS: volumes attached to the instance; EBS snapshots are stored in S3 buckets
• Region: contains multiple Availability Zones

Slide 22

AWS Nitro System: modular building blocks for rapid design and delivery of EC2 instances

Nitro Hypervisor
• Lightweight hypervisor
• Memory and CPU allocation
• Bare metal-like performance

Nitro Card
• VPC networking
• Amazon EBS
• Local instance storage
• System controller

Nitro Security Chip
• Integrated into the motherboard
• Protects hardware resources
• Hardware root of trust

Slide 23

https://www.awsgeek.com/posts/AWS-reInvent-2018-Evolution-of-the-EC2-Host/

Slide 24

EC2 Host Virtualization
(diagram) Physical host: physical interfaces → firewall → hypervisor → virtual interfaces → customer instances (small, large, …)
Security Groups are applied per instance at its virtual interface, outside the guest operating system.

Slide 25

Tiered EC2 Security Groups
Hierarchical security group rules:
• Dynamically created rules
• Based on security group membership
• Create tiered network architectures

“Web” security group:  TCP 80 from 0.0.0.0/0;  TCP 22 from “Mgmt”
“App” security group:  TCP 8080 from “Web”;    TCP 22 from “Mgmt”
“DB” security group:   TCP 3306 from “App”;    TCP 22 from “Mgmt”
“Mgmt” security group: TCP 22 from 163.128.25.32/32

Slide 26

Modernizing your application
(diagram) Pick the purpose-built data store for each workload: Amazon DynamoDB, Amazon RDS, Amazon ElastiCache, Amazon S3, Amazon Elasticsearch, Amazon Redshift, covering logging, rich search, key/value, simple query, hot reads, analytics, and complex queries & transactions.

Slide 27

Retrieve database credentials securely
(diagram: AWS resources, your code, operating system, EC2 instance)
1. AWS credentials are plumbed to the instance (as before, via its role)
2. Your code makes an authorized call to AWS Secrets Manager
3. The DB credentials are returned and loaded
4. The database connection is established
Safe rotation: the combination provides your apps a reliable, secure, auto-rotating solution for ALL credentials.

Slide 28

Use IAM roles to grant access to instances
(diagram: AWS resources, your code, operating system, EC2 instance)
• AWS credentials are auto delivered and rotated
• AWS credentials are auto discovered and used by your code
• Access is controlled by the policy attached to the role
• Also works with AWS Lambda & Amazon ECS

Slide 29

Amazon Inspector
• Vulnerability assessment service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-demand pricing model
• Static and dynamic rules packages

Slide 30

AWS Systems Manager Session Manager
• Connect to your instance directly from the console.
• All sessions and commands are logged (to CloudWatch Logs and/or S3, once configured).
• No need to provision SSH keys or open up security groups.

Slide 31

Staying secure at scale

Slide 32

Microservice Development Cycle
(diagram) Developers → Services → Delivery pipelines: each service has its own Build → Test → Release pipeline.

Slide 33

Use pipelines to deploy your applications
Source → Build → Test → Production

Slide 34

Infrastructure as Code - CloudFormation

Slide 35

CloudFormation template for a Linux instance
(template shown on the slide)
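The template on the slide is not in the extracted text, so the following is an added example written for this page, not the speaker's template: a Linux instance whose security posture follows the earlier slides. It codifies the tiered Web/App/DB security groups of slide 25, gives the instance a role with the managed policy Session Manager needs instead of static keys (slide 28), and deliberately has no key pair and no TCP 22 rule because Session Manager (slide 30) replaces SSH. The VPC and subnet IDs are parameters you supply; the AMI is resolved from the public SSM parameter for Amazon Linux 2.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not the template from the slides: tiered security groups,
  an instance role, encrypted root volume, Session Manager instead of SSH.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  LatestAmiId:
    # Resolved at deploy time from the public SSM parameter, so the stack
    # always launches the current Amazon Linux 2 image.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier, HTTP from anywhere
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier, reachable only from members of the web tier
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref WebSecurityGroup
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DB tier, reachable only from members of the app tier
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref AppSecurityGroup
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Only what the SSM agent needs for Session Manager; add application
        # permissions (e.g. secretsmanager:GetSecretValue on one secret) here.
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref InstanceRole
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref InstanceProfile
      SecurityGroupIds:
        - !Ref AppSecurityGroup
      # No KeyName on purpose: shell access goes through Session Manager.
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 8
            Encrypted: true
Outputs:
  InstanceId:
    Value: !Ref AppInstance
```

Deploy with `aws cloudformation deploy --template-file instance.yaml --stack-name app-instance --parameter-overrides VpcId=... SubnetId=... --capabilities CAPABILITY_IAM`, then `aws ssm start-session --target <instance-id>`. The instance still needs a path to the SSM endpoints (a NAT gateway or VPC interface endpoints for ssm, ssmmessages and ec2messages); without that the session will not connect, and the security groups above intentionally offer no fallback port.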

Slide 36

Choose deployment speed and group
(diagram: a deployment agent on every instance; instances move from v1 to v2 as the deployment progresses)
• One at a time
• Half at a time
• All at once
Deployment groups: Dev deployment group OR Prod deployment group.
(These are the AWS CodeDeploy concepts: an agent per instance, deployment groups, and the deployment configurations OneAtATime, HalfAtATime and AllAtOnce.)

Slide 37

New! The AWS Cloud Development Kit
https://docs.aws.amazon.com/cdk/latest/guide/home.html

Slide 38

Use dedicated AWS accounts
AWS Organizations can create an OU-like structure of all your accounts.
Service Control Policies (SCPs) can be applied on accounts to restrict functionality.

Slide 39

SCPs – disable disabling CloudTrail
(policy shown on the slide: a Deny on the CloudTrail calls that would stop or remove a trail, applied to every account in the organization so that not even an account administrator can switch logging off)

Slide 40

SCPs – blocking AWS regions outside the EU
(policy shown on the slide: a Deny conditioned on the region of the request, so resources cannot be created in non-EU regions)
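The policy documents on the two SCP slides are not in the extracted text, so the two SCPs below are reconstructed from the slide titles and are assumptions, not the speaker's policies. This added example (not code from the deck) writes them out together with the three policies from the IAM hierarchy slide and a deliberately small model of how IAM combines the layers: an explicit Deny anywhere wins, an SCP must allow the call, the identity's policy must allow it, and for temporary credentials the session policy must allow it too. The evaluator handles only wildcards, NotAction and the two string condition operators used here; it is for understanding the slides, not a substitute for the IAM policy simulator.

```python
# Added example (not from the slides): IAM policy layers and two reconstructed
# SCPs, evaluated by a minimal model of IAM's deny/allow logic.
import fnmatch
import json

# Slide 16: the three tiers of privilege, as policy documents.
ROOT_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
USER_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "sts:Get*"],
                              "Resource": "*"}]}
SESSION_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*"],
                                 "Resource": "arn:aws:s3:::mybucket/*"}]}

# Slide 39 (reconstructed): nobody in the organization can switch CloudTrail off.
SCP_PROTECT_CLOUDTRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # the FullAWSAccess baseline
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]}]}

# Slide 40 (reconstructed): deny every request whose region is outside the EU.
# Global services (IAM, STS, Organizations, Support) are exempted via NotAction
# because their calls are not made against an EU region.
EU_REGIONS = ["eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1"]
SCP_EU_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, fold=True):
    """IAM wildcards: '*' any run, '?' one character. Action names are
    case-insensitive; resource ARNs are matched as written."""
    if fold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(cond, context):
    """Models StringEquals / StringNotEquals only. A missing context key
    fails StringEquals and satisfies StringNotEquals, as in IAM."""
    for op, pairs in (cond or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """One document: explicit Deny wins, then Allow, otherwise implicit deny."""
    context = context or {}
    outcome = "implicit-deny"
    for st in policy["Statement"]:
        if "Action" in st:
            action_hit = _matches(st["Action"], action)
        else:
            action_hit = not _matches(st["NotAction"], action)
        if not action_hit or not _matches(st.get("Resource", "*"), resource, fold=False):
            continue
        if not _condition_met(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"
        outcome = "allow"
    return outcome


def is_allowed(action, resource, identity_policy, session_policy=None, scps=(), context=None):
    """A request succeeds only if every applicable layer allows it: the SCPs
    on the account, the identity policy and, for temporary credentials, the
    session policy. That intersection is what 'further restricted by the
    policies used to generate the token' on slide 16 means."""
    layers = [identity_policy] + ([session_policy] if session_policy else []) + list(scps)
    return all(evaluate(p, action, resource, context) == "allow" for p in layers)


if __name__ == "__main__":
    print(json.dumps(SCP_EU_ONLY, indent=2))
    print("StopLogging as admin under SCP:",
          is_allowed("cloudtrail:StopLogging", "*", ROOT_POLICY, scps=[SCP_PROTECT_CLOUDTRAIL]))
```

One caveat the model reproduces faithfully: SCPs never grant anything, they only bound what an account's own policies can grant, which is why each one keeps the Allow-everything statement next to its Deny.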

Slide 41

Best practices regarding AWS accounts
• Your production AWS accounts are read only and deployments happen through pipelines only.
• Dedicated security accounts are used to store CloudFormation and any other relevant logs (acting as the “black box” in case of a security event).
• Acceptance and test environments allow a bit more access, but for example block any external, Internet facing exposure.

Slide 42

Looking forward

Slide 43

Choices for Compute (recap of slide 12): Amazon EC2; Amazon ECS, EKS, and Fargate; AWS Lambda


Slide 45

Event based architectures
Event source (services, anything): changes in data state, requests to endpoints, changes in resource state
→ Lambda function: Node.js, Python, Java, C#, Go, Ruby, PowerShell, or bring your own runtime

Slide 46

Moving towards services higher in the stack

Slide 47

A serverless web application
(diagram) Browser → Amazon CloudFront → Amazon S3 (static content) and Amazon API Gateway → AWS Lambda (dynamic content) → Amazon DynamoDB (data); Amazon Cognito provides user identity
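What the Lambda function in that diagram has to get right is where it takes the user's identity from. As an added example (not from the deck), the handler below reads the caller's identity from the Cognito claims that API Gateway verified and put in `requestContext.authorizer`, never from the request body, and scopes every DynamoDB key to that identity, so one user cannot read another's rows even by guessing an ID. The `NotesStore` class is an in-memory stand-in for the DynamoDB table so the code runs offline, and `make_event` builds constructed API Gateway proxy events; the handler itself follows the real Lambda proxy event and response format.

```python
# Added example (not from the slides): an API Gateway + Cognito + Lambda
# handler that trusts the authorizer's claims, not the request body.
import json
import uuid


class NotesStore:
    """Stand-in for a DynamoDB table with partition key user_id and sort key
    note_id. A real implementation would call put_item/get_item/query on a
    boto3 Table with the same key scoping."""
    def __init__(self):
        self._items = {}

    def put_item(self, item):
        self._items[(item["user_id"], item["note_id"])] = item

    def get_item(self, user_id, note_id):
        return self._items.get((user_id, note_id))

    def query(self, user_id):
        return [v for (u, _), v in self._items.items() if u == user_id]


STORE = NotesStore()
MAX_BODY = 4096  # assumed limit; reject oversized input before parsing it


def _response(status, body):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
            "body": json.dumps(body)}


def body_of(response):
    return json.loads(response["body"])


def caller_id(event):
    """The subject as verified by the Cognito user-pool authorizer. API Gateway
    only invokes the function after validating the token, so this is the only
    identity the handler may trust."""
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    return (authorizer.get("claims") or {}).get("sub")


def handler(event, context=None, store=STORE):
    user = caller_id(event)
    if not user:
        return _response(401, {"error": "unauthenticated"})
    method = event.get("httpMethod")
    if method == "GET":
        note_id = (event.get("pathParameters") or {}).get("id")
        if note_id:
            item = store.get_item(user, note_id)  # key includes the caller's id
            return _response(200, item) if item else _response(404, {"error": "not found"})
        return _response(200, store.query(user))
    if method == "POST":
        raw = event.get("body") or ""
        if len(raw) > MAX_BODY:
            return _response(413, {"error": "body too large"})
        try:
            data = json.loads(raw)
        except ValueError:
            return _response(400, {"error": "invalid JSON"})
        text = data.get("text") if isinstance(data, dict) else None
        if not isinstance(text, str) or not text.strip():
            return _response(400, {"error": "text (non-empty string) required"})
        # Any user_id the client sends is ignored; the item belongs to the caller.
        item = {"user_id": user, "note_id": uuid.uuid4().hex, "text": text.strip()}
        store.put_item(item)
        return _response(201, item)
    return _response(405, {"error": "method not allowed"})


def make_event(method, sub=None, body=None, note_id=None):
    """Constructed API Gateway (REST, Lambda proxy) event for local testing."""
    return {"httpMethod": method,
            "pathParameters": {"id": note_id} if note_id else None,
            "body": body,
            "requestContext": {"authorizer": {"claims": {"sub": sub}} if sub else {}}}


if __name__ == "__main__":
    created = handler(make_event("POST", sub="user-a", body='{"text": "hello"}'))
    print(created["statusCode"], body_of(created))
    print(handler(make_event("GET", sub="user-b", note_id=body_of(created)["note_id"]))["statusCode"])
```

The same rule applies when the authorizer is a Lambda authorizer or an IAM-authenticated route: the identity comes from `requestContext`, and the function's own IAM role should be limited to the one table (and ideally, via a condition on `dynamodb:LeadingKeys`, to the caller's partition).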


Slide 49

Thank you!
Please feel free to reach out: @marekq, [email protected]